java.security.InvalidKeyException: Not an EC key: RSA #259
Comments
|
@MakakWasTaken please be aware, that BDEW does NOT work out of the box, because the key exchange stuff is not available in the underlying WSS4J library. Please see the respective entry in the discussion area. Also please bare in mind, that BDEW wants Elliptic Curve (EC) based certificates instead of RSA ones. So this will be more than just adding some PModes.... |
|
I am guessing that you're referring to #105. I am however a bit unsure on where to start with the implementation. I am guessing that I need some sort of PMode aware crypto factory to customize the handling of the encrypt/sign based on the PMode resolver. So if the PMode ID starts with BDEW it would handle it with the EC based certificates. And likewise if it starts with ENTSOG I would just continue to handle it in the same way as before.
I read the discussion that you referred to, I however understood #105 (comment) as if the problem had been resolved and it was now implemented (from 2.7.5 and onwards). Is there anything else that I need to implement in order to start receiving with the BDEW profile. Another thing is that when I started implementing the new BDEW profile, it caused the existing sending of ENTSOG to start failing. The following code is what is used for sending the message that seems to cause an error. Phase4ENTSOGSender.ENTSOGPayloadParams entsogParams = new Phase4ENTSOGSender.ENTSOGPayloadParams();
eResult = Phase4ENTSOGSender.builder()
// Certificate
.cryptoFactory(CryptoHelper.cryptoFactory)
.receiverCertificate(certificate)
// Setup
.endpointURL(endpointURL)
.action("http://docs.oasis-open.org/ebxml-msg/as4/200902/action")
.service(serviceType, service)
.agreementRef(agreement)
.httpRetrySettings(new HttpRetrySettings().setMaxRetries(0))
// From Partner
.fromRole(senderRole)
.fromPartyID(senderId)
.fromPartyIDType("http://www.entsoe.eu/eic-codes/eic-party-codes-x")
// To Partner
.toRole(receiverRole)
.toPartyID(receiverId)
.toPartyIDType("http://www.entsoe.eu/eic-codes/eic-party-codes-x")
.pmodeID(as4Type)
// Payload
.payload(aPayloadElement, entsogParams)
.signalMsgConsumer(signalConsumer)
.setSigningKeyIdentifierType(ECryptoKeyIdentifierType.BST_DIRECT_REFERENCE)
.encryptionKeyIdentifierType(ECryptoKeyIdentifierType.BST_DIRECT_REFERENCE)
// Send the message
.sendMessageAndCheckForReceipt(responseMessage::set);Running this code gives me the InvalidKeyException. Which I thought was only needed when handling the BDEW profile. Is there some extra that I need to do in my CryptoFactory to account for this. If there are questions to any of the variables please feel free to ask 😄 Thanks in advance :D |
|
I figured part of the problem out. I noticated that a default profile was being selected (bdew). Which caused the validation to fail. I temporarily fixed the problem by using the An example of how to properly do this would be much appreciated. EDIT: I just found this #244 (comment) 😄 Is it possible to change the receiving profile dynamically or is this done automatically? |
|
As handling multiple AS4 profiles becomes more and more of an issue, I started assembling a Wiki page that should deal with that topic: https://github.com/phax/phase4/wiki/Multi-Profile-Handling - that page is not yet finalized but it should provide a good starting point One of the points mentioned there is also the AS4 profile ID for sending. This has indeed been resolved by #244 and will be part of the upcoming 2.8.2 release. An indeed the implementation of https://issues.apache.org/jira/browse/SANTUARIO-511 in the 3.x branch of Apache Santuario opened up for an easier key exchange, but you need to implement it yourself. It's not "hidden" in the phase4 code atm. hth |
|
I have finally had the time to sit down and have a look at this again. I have since last posting converted to version 3.0.0. I have also generated some certificates using openssl commands used for certificate# Create Key openssl ecparam -name brainpoolP256r1 -genkey -out ecdsa_private_key.pem -param_enc named_curve # Create Certificate from key openssl req -new -x509 -key ecdsa_private_key.pem -out ecdsa_public_key.cer -days 99999 # Create .p12 keystore using the private key and public key. openssl pkcs12 -export -out keystore.p12 -inkey ecdsa_private_key.pem -in ecdsa_public_key.cer I am attempting to send a BDEW message but have now ended up with the message: When I was looking up ECNamedCurveSpec I found the This has now left me without any idea of how to continue. The way that I set up the import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.JCEMapper;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
import java.security.Security;
public class GeneralConfig {
static {
// Initialize the XML Security library
Init.init();
// Register Bouncy Castle as a security provider
Security.addProvider(new BouncyCastleProvider());
Security.addProvider(new BouncyCastleJsseProvider());
// Set Bouncy Castle as the provider for specific algorithms
JCEMapper.setProviderId(BouncyCastleProvider.PROVIDER_NAME);
}
}The keystore I use is using PKCS12 and I start it using I have also tried looking in the #105 discussion, but it seems that the discussion has moved to a Slack channel which I am not apart of. In case there is some relevant information in the Slack, could you invite me? ([email protected]) I apologize if I have missed something obvious. Neither Java or Cryptography are my strong suite, but I am trying to learn as I go along :) If more information is needed do not hesitate to ask. If there are some good resources for learning more about the AS4 in general I would also happily accept any suggestions. |
|
In the meantime we moved on bilaterally and are waiting for feedback. An updated will be provided as soon as it is available |
I have recently started receiving the following error:
java.security.InvalidKeyException: Not an EC key: RSAI am not really sure what causes the error, but suspect some sort of CryptoFactory problem.
The error started appearing after I added a second profile. I wanted my AS4 server to be able to both receive/send ENTSOG aswell as BDEW. This started with providing some problems with the PMode, which was handled by setting a custom PModeResolver:
The error then shifted to the sending end of the application. It won't let me set outbound files now because of the beforementioned error.
If there are any guides on how to set up multiple profiles in the same servlet it would be much appreciated. I am also aware that I could create two different endpoints for the different types of profiles, but I would prefer having them as a single endpoint instead as the handling is mostly the same for the received files.
Some configuration and the full stacktrace:
pom.xml
Full stacktrace
The text was updated successfully, but these errors were encountered: